The permission policy AliyunActionTrailDeliveryPolicy grants the permissions required for event delivery. This topic describes the scenarios in which the policy applies and the permissions that the policy grants.

Scenarios

  • Access Log Service

    If you specify a Log Service project to store event logs, ActionTrail must create a Logstore in the specified project and write event logs to the Logstore. In this case, ActionTrail must use the AliyunActionTrailDeliveryPolicy policy to obtain the permissions to access Log Service.

  • Access Object Storage Service (OSS)

    If you specify an OSS bucket to store event logs, ActionTrail must write event logs to the specified OSS bucket. In this case, ActionTrail must use the AliyunActionTrailDeliveryPolicy policy to obtain the permissions to access OSS.

Permissions

Policy: AliyunActionTrailDeliveryPolicy

The following code block shows the AliyunActionTrailDeliveryPolicy permission policy:

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "oss:PutObject",
                "oss:GetBucketLocation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:GetProject"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:PostLogStoreLogs",
                "log:CreateLogstore",
                "log:GetLogstore",
                "log:CreateIndex",
                "log:UpdateIndex",
                "log:GetIndex"
            ],
            "Resource": "acs:log:*:*:project/*/logstore/actiontrail_*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateDashboard",
                "log:UpdateDashboard"
            ],
            "Resource": "acs:log:*:*:project/*/dashboard/*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "log:CreateSavedSearch",
                "log:UpdateSavedSearch"
            ],
            "Resource": "acs:log:*:*:project/*/savedsearch/actiontrail_*",
            "Effect": "Allow"
        }
    ]
}

The permission policy allows ActionTrail to access resources in Log Service and OSS. Note the difference in scope: the Log Service statements are restricted to Logstores and saved searches whose names start with actiontrail_ (and to dashboards in any project), whereas the OSS and log:GetProject statements use the resource "*" and therefore apply to every bucket and project in the account. The following table describes the operations that are allowed by the permission policy.

Action                 Description
oss:GetBucketLocation  Obtains the region where a specified OSS bucket resides.
oss:PutObject          Writes event logs to a specified OSS bucket.
log:GetProject         Queries whether a Log Service project exists.
log:PostLogStoreLogs   Writes event logs to a specified Log Service Logstore.
log:GetLogstore        Queries whether a Log Service Logstore exists.
log:CreateLogstore     Creates a Log Service Logstore.
log:CreateIndex        Creates an index.
log:UpdateIndex        Updates an index.
log:GetIndex           Obtains an index.
log:CreateDashboard    Creates a dashboard.
log:UpdateDashboard    Updates a dashboard.
log:CreateSavedSearch  Creates a saved search.
log:UpdateSavedSearch  Updates a saved search.
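To see what the resource patterns in the policy actually permit, the following added Python check (not part of the ActionTrail documentation or of any Alibaba Cloud SDK) evaluates action/resource pairs against the policy and lists the actions granted on every resource. The ARNs, region, account ID and project name are constructed sample values, and the matcher models only the "*" wildcard.

```python
import re

# AliyunActionTrailDeliveryPolicy, transcribed from the policy document above.
POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["oss:PutObject", "oss:GetBucketLocation"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:GetProject"], "Resource": "*", "Effect": "Allow"},
        {"Action": ["log:PostLogStoreLogs", "log:CreateLogstore", "log:GetLogstore",
                    "log:CreateIndex", "log:UpdateIndex", "log:GetIndex"],
         "Resource": "acs:log:*:*:project/*/logstore/actiontrail_*", "Effect": "Allow"},
        {"Action": ["log:CreateDashboard", "log:UpdateDashboard"],
         "Resource": "acs:log:*:*:project/*/dashboard/*", "Effect": "Allow"},
        {"Action": ["log:CreateSavedSearch", "log:UpdateSavedSearch"],
         "Resource": "acs:log:*:*:project/*/savedsearch/actiontrail_*", "Effect": "Allow"},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value):
    # Only '*' is a wildcard here (it matches any run of characters, ':' and '/' included).
    # Simplification: other RAM pattern features such as '?' are not modelled.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None

def is_allowed(policy, action, resource):
    """Deny-overrides evaluation: a matching Deny wins, otherwise any matching Allow permits."""
    allowed = False
    for stmt in policy["Statement"]:
        matches_action = any(_match(a, action) for a in _as_list(stmt["Action"]))
        matches_resource = any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if matches_action and matches_resource:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def unscoped_actions(policy):
    """Actions granted on Resource '*': the broad grants to review first in an audit."""
    return sorted({a for s in policy["Statement"]
                   if s["Effect"] == "Allow" and "*" in _as_list(s["Resource"])
                   for a in _as_list(s["Action"])})

if __name__ == "__main__":
    # Constructed sample ARNs (region cn-hangzhou, account 123456, project "audit").
    base = "acs:log:cn-hangzhou:123456:project/audit/logstore/"
    print(is_allowed(POLICY, "log:PostLogStoreLogs", base + "actiontrail_prod"))  # True
    print(is_allowed(POLICY, "log:PostLogStoreLogs", base + "app-logs"))          # False
    print(is_allowed(POLICY, "oss:DeleteObject", "acs:oss:*:*:my-bucket/x"))      # False
    print(unscoped_actions(POLICY))
```

The second and third checks show the two properties worth verifying before attaching a delivery role: ActionTrail cannot write into Logstores outside the actiontrail_ prefix, and the OSS grant is limited to PutObject and GetBucketLocation even though it covers every bucket.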